On the Circular Security of Bit-Encryption

(1)

On the Circular Security of Bit-Encryption

Ron Rothblum∗ March 7, 2012

Abstract

Motivated by recent developments in fully homomorphic encryption, we consider the folklore conjecture that every semantically-secure bit-encryption scheme is circular secure, or in other words, that every bit-encryption scheme remains secure even when the adversary is given encryptions of the individual bits of the private-key. We show the following obstacles to proving this conjecture:

1. We construct a public-key bit-encryption scheme that is plausibly semantically secure, but is not circular secure. The circular security attack manages to fully recover the private-key.

The construction is based on an extension of the Symmetric External Diffie-Hellman assumption (SXDH) from bilinear groups, to `-multilinear groups of order p where

`≥c·logpfor somec >1.

While there do exist `-multilinear groups (unconditionally), for ` ≥ 3 there are no known candidates for which the SXDH problem is believed to be hard. Nevertheless, there is also no evidence that such groups do not exist. Our result shows that in order to prove the folklore conjecture, one must rule out the possibility that there exist

`-multilinear groups for which SXDH is hard.

2. We show that the folklore conjecture cannot be proved using a black-box reduction. That is, there is no reduction of circular security of a bit-encryption scheme to semantic security of that very same scheme that uses both the encryption scheme and the adversary as black-boxes.

Both of our negative results extend also to the (seemingly) weaker conjecture that every CCA secure bit-encryption scheme is circular secure.

As a final contribution, we show an equivalence between three seemingly distinct notions of circular security for public-key bit-encryption schemes. In particular, we give a general search to decision reduction that shows that an adversary that distinguishes between en-cryptions of the bits of the private-key and enen-cryptions of zeros can be used to actually recover the private-key.

∗

(2)

1 Introduction

Modern cryptographic applications, both practical and theoretical, have led to the study of increasingly complex types of attacks on encryption schemes. For example, challenge plaintext attacks (CPA) and challenge ciphertext attacks (CCA) extend the classical notion of semantic security [GM84] by allowing an attacker access to encryptions of arbitrary messages of its choice (in the CPA model) and to a decryption oracle (in the CCA model).

A different type of attack that has been recently considered is when the attacker manages to obtain encryptions of messages that are related to the (private) decryption-key. The notion of key dependent message (KDM) security was first considered by Camenisch and Lysyanskaya [CL01] and (independently) by Blacket al.[BRS02]. Informally, an encryption scheme is KDM secure for a class of functionsF if it is infeasible to distinguish between an oracle that on input

f ∈ F outputs an encryption of f evaluated on the decryption-key and an oracle that just returns encryptions of zeros.

Perhaps the most basic type of KDM attack is one in which the attacker is just given an encryption of the entire decryption-key. Security with respect to such a KDM attack is also known as “circular security” since the key encrypts itself.1

While some encryption schemes have been proved to be circular secure under plausible cryptographic assumptions (e.g., [BHHO08, ACPS09]), it is natural to ask whether semantic security actually guarantees circular security. A folklore example shows that this is not the case: given any private-key encryption scheme we can slightly modify the encryption algorithm by checking if the input message is the (symmetric) key itself or not. If not, then the encryption proceeds as usual. But, if the input message equals the key, then the encryption algorithm is modified to output the key in the clear. The resulting scheme is still semantically secure2 _and

yet it is not circular secure, since an adversary that gets an encryption of the key trivially breaks security. The counterexample can be easily extended to the public-key setting by having the encryption algorithm check whether a given input message functions as a “good” decryption-key.3

The foregoing counterexample shows that, in general, semantic security does not suffice for circular security. Motivated by recent developments in fully homomorphic encryption (see Section 1.2), we restrict our attention to a specific class of encryption schemes - those that encrypt their input bit-by-bit (also called bit-encryption schemes).4 Thus, we ask whether every

bit-encryption scheme that is semantically secure is also circular secure. An alternative way to phrase the question is whether every semantically secure (either private-key or public-key) encryption scheme remains secure even if the adversary is given encryptions of the individual bits of the decryption-key (in order, of course).

At this point it is worthwhile to point out two ways in which the counterexample (for full fledged encryption schemes) uses the fact that the encryption algorithm is given the entire decryption-key as its message:

1. It is easy to identify when the decryption-key is given as the input message to the

encryp-1_{Circular security may also refer to larger key cycles were there are}_t_{keys arranged in a directed cycle and}

the adversary sees encryptions under every key of its next neighbor’s key. We only consider the caset= 1.

2

Semantic security follows from the fact that the probability that the message (which is selected before the keys) equals the key is negligible.

3

The (public-key) encryption algorithm can do so by encrypting sufficiently many random messages and checking whether the given input message (used as a decryption-key) correctly decrypts these ciphertexts.

4

(3)

tion algorithm (trivially in the private-key setting and almost as easily in the public-key setting); and

2. In the semantic security setting, the event that the message equals the decryption-key is sufficiently rare that we can modify the encryption algorithm to handle this event in a special way without jeopardizing security.

In the case of bit-encryption schemes both properties no longer hold and constructing a counterexample seems to be more difficult.5 _{In fact, the above has led to a folklore conjecture,}

which we call the bit-encryption conjecture, that every secure bit-encryption scheme (either private-key or public-key) is in fact circular secure. Let us state this as:

Conjecture 1(Bit-Encryption Conjecture). Every semantically secure public-key bit-encryption scheme is circular secure.

The focus of this work is to show obstacles to proving the validity of this conjecture. Focusing on the public-key case only strengthens our negative results since every public-key scheme is also a private-key scheme. (In Section 1.4 we also discuss the (seemingly) weaker conjecture that every CCA secure bit-encryption scheme is circular secure.)

1.1 Our Results

We address the question of circular security for bit-encryption schemes and show the following results:

A circular insecure bit-encryption scheme based on `-multilinear maps. We con-struct a (plausibly) semantically secure public-key encryption scheme for which, given encryp-tions of the bits of the decryption-key, it is possible to fully recover the decryption-key (i.e., the strongest type of attack). The security of our construction is based on an extension of the Sym-metric External Diffie-Hellman (SXDH) assumption (see [BGdMM05, FGHP09]) to multilinear groups, which we describe next.

An`-multilinear map is a (non-degenerate) mappinge:G1×· · ·×G`→GT whereG1, . . . , G`

andGT are cyclic groups of prime orderp, such that for everyg1∈G1, . . . , g` ∈G`, everyi∈[`]

and a∈_Zp it holds that

e(g1, . . . , gia, . . . , g`) =e(g1, . . . , g`)a.

Recall that, informally, the Decisional Diffie Hellman (DDH) assumption is said to hold in the cyclic group G if it is infeasible to distinguish between g, ga_{, g}b_{, g}ab _and _{g, g}a_{, g}b_{, g}c _where

g is a generator of G and a, b and c are random exponents. The standard SXDH assumption extends the DDH assumption to 2-multilinear (a.k.a bilinear) groups by stating that there exist groups (G1, G2) equipped with a bilinear map for which the DDH assumption holds (separately)

for each one of the groupsG1 and G2. We further extend the SXDH assumption by assuming that there exist `-multilinear groups for which DDH is hard in each one of the ` groups. For our result to hold we need`≥c·logpfor somec >1.

Since, for ` > 2, we do not have candidate `-multilinear groups for which we conjecture SXDH to be hard, we do not interpret our construction as a counterexample, but rather as an obstacle to proving the bit-encryption conjecture (Conjecture 1). Our construction shows that

5

(4)

in order to prove that every semantically secure bit-encryption scheme is circular secure one would have to rule out the existence of `-multilinear groups for which SXDH is hard.

The possibility of constructing`-multilinear group schemes for which discrete log is hard was previously considered by Boneh and Silverberg [BS03], who showed cryptographic applications of multilinear maps as well as difficulties in constructing such group schemes based on known techniques in algebraic geometry. We note that [BS03] only considered the special case of

G1 ≡. . . ≡G` and the hardness of discrete log for G1 (in fact, if G1 ≡ . . .≡ G` then SXDH

becomes trivially easy6).

Impossibility of black-box reductions. We show that a black-box reduction cannot be used to prove the bit-encryption conjecture. Our black-box impossibility result differs from standard black-box impossibility results in that we do not consider the possibility ofconstructing

a circular secure bit-encryption from any semantically-secure bit-encryption but rather the question of whether every semantically secure bit-encryption isby itself already circular secure. In other words, we prove that there cannot exist a general black-box reduction that trans-forms any circular security attack into a semantic security attack. By black-box we mean that the reduction uses both the attack and the primitive (in our case the encryption scheme) in a black-box manner (for a discussion of different types of black-box separations, see [RTV04]).

From indistinguishability to key-recovery. We show an equivalence between three natural notions of circular security for public-key bit-encryption schemes. In all three scenarios we give the adversary access to an oracle that on input i returns an encryption of the i-th bit of the decryption-key. We refer to this oracle as the KDM oracle. The three security notions differ in the task that a hypothetical adversary, which has access to the KDM oracle, has to accomplish in order to be deemed successful (i.e., break security). We consider the following possible tasks:

1. The adversary needs to fully recover the decryption-key.

2. The adversary gets as input an encryption of a random bit and needs to guess the value of this bit.

3. The adversary is given access to either the KDM oracle or an oracle that always returns encryptions of 0 and needs to distinguish in which of the two cases it is. This is the standard notion of circular security as defined in [CL01, BRS02].

We show that the three foregoing notions are actually equivalent. In particular, this result implies a general search to decision reduction that transforms any circular security distinguisher into an adversary that, given access to the KDM oracle, can fully recover the decryption-key

d. (In contrast, in the setting of semantic security, finding the key can be a much harder task than recovering the message from the ciphertext.)

1.2 Connection to Fully Homomorphic Encryption and Full KDM Security

Other than being an interesting and natural question on its own, the question of circular security for bit-encryption schemes is further motivated by recent breakthroughs in the construction of fully homomorphic encryption schemes (FHE) and fully KDM secure encryption schemes.

6

Using the fact that the groups are equals, we can solve DDH inG1. Specifically, giveng, ga, gb, gc∈G1 just

comparee(ga_{, g}b_{, g, . . . , g}_{) and}_e₍_gc_{, g, . . . , g}_{), where we use the fact that}_gb_∈_G

2 =G1. Ifc=abthen equality

(5)

Fully Homomorphic Encryption. Informally, an FHE is an encryption scheme for which given an encryption of a messagemandany circuitC, one can compute an encryption ofC(m) without knowing the decryption-key.

Gentry [Gen09] constructed the first FHE and gave a general technique called bootstrapping for the construction of FHE schemes. Gentry’s idea is to first construct an encryption scheme that is somewhat homomorphic (that is, homomorphic with respect to some limited class of circuits), and then, using the bootstrapping technique, to transform it into an FHE. The boot-strapping technique inherently uses the assumption that the underlying somewhat homomorphic encryption is circular secure.7 Since most of these schemes are bit encryption schemes and their circular security is only conjectured and not proved (based on their semantic security), the question of circular security for bit-encryption is especially important for the construction of secure FHE. In particular, proving the bit-encryption conjecture would establish the existence of an FHE based solely on (say) the hardness of the learning with errors (LWE) problem (see [BV11]).

Our KDM equivalence theorem for bit-encryption (see end of Section 1.1) is also of particular interest to the current candidate FHE schemes. As alluded to above, the theorem implies that a KDM distinguisher can be used to construct an attacker thatgiven access to the KDM oracle

actually finds the decryption-key. However, for the current candidate fully homomorphic bit-encryption schemes, the KDM oracle can actually be simulated using only the public-key.8 Thus, the equivalence theorem gives a generic (and simple) search to decision reduction for these schemes that transforms any attack that breaks semantic security into an attack that finds the decryption-key (without using an external KDM oracle).

Full KDM Security from Semantic Security. An additional motivation for the study of the circular security of bit-encryption schemes arises from the recent work of Applebaum [App11] (following [BHHI10, BGK11]) who showed an amplification theorem for KDM security. Specifically, [App11] showed that an encryption scheme that is KDM secure for any fixed class of polynomial-size circuits, can be constructed from an encryption scheme that is KDM secure only with respect to the class of projections and negation of projections (i.e., any function f

of the form f(d) = di or f(d) = 1−di). Thus, proving a slightly stronger variant of the

bit-encryption conjecture would imply that semantic security is a sufficient assumption for the construction of a very strong form of KDM security.

1.3 Comparison of our Black-Box Impossibility Result with [HH09]

Haitner and Holenstein [HH09] gave the following two black-box impossibility results regarding the construction of KDM secure encryption schemes:

1. There exists no fully black-box reduction from an encryption scheme that is secure for a class of KDM functions to a collection of trapdoor permutations, if the class of KDM functions contains a collection of poly(n)-wise independent hash functions.

7_{Actually, there are two variants of the bootstrapping technique. The one that we refer to assumes circular}

security and constructs an FHE. The other variant does not assume circular security but only achievesleveled

FHE (i.e., an encryption scheme that is homomorphic with respect to any circuit of some apriori fixed depth) and also expands the public-key by a multiplicative factor that is linear in the depth of supported circuits.

8

(6)

2. There exists no fully black-box construction of an encryption scheme that is secure for a class of KDM functions to any cryptographic game, if the reduction treats the KDM functions as a black-box.

Circular security of bit-encryption corresponds exactly to KDM security with respect to the class of projection functions. The results of [HH09] do not apply to this class of KDM functions because (1) the class of projection functions does not include a collection of poly(n )-wise independent hash functions, and (2) we consider a concrete class of KDM functions and the reduction may make arbitrary (non-black-box) use of these functions. Therefore our black-box impossibility is not covered by the results of [HH09].

We also wish to point out that [HH09] ruled out a wide range of constructions of KDM secure encryption schemes. Our black-box impossibility result, on the other hand, only rules out the possibility of proving (via a black-box reduction) that every semantically secure bit-encryption scheme is also circular securewithout any modification to the encryption scheme. In other words, we do not rule out the possibility that there exists a black-box construction of a circular secure bit-encryption scheme from any semantically secure bit-encryption scheme.

1.4 Chosen Ciphertext Security vs. Circular Security

Recall that an encryption scheme is CCA-2 secure if it is semantically secure even when the attacker has access to a decryption oracle that decrypts any ciphertext other than the challenge ciphertext.

Since we show difficulties to proving that every semantically secure bit-encryption is circular secure, it is natural to ask whether a stronger notion of security, such as CCA security, might instead suffice. We first note that our black-box impossibility result extends also to this case. That is, we show that there is no blackbox reduction of circular-security even to CCA-2 security. Actually, assuming the existence of doubly-enhanced trapdoor permutations, the conjecture that every CCA bit-encryption scheme is circular-secure is equivalent to the bit encryption con-jecture. This equivalence follows from the fact that the Naor-Yung paradigm [NY90] transforms a semantically secure but circular insecure scheme into a CCA secure but circularinsecureone.9

Using this observation we can extend our construction of a circular-insecure bit-encryption scheme (based on multilinear SXDH, see Section 3) to a CCA-2 secure but circular-insecure bit-encryption scheme (assuming, in addition to multilinear SXDH, the existence of doubly-enhanced trapdoor permutations).10

Remark. We also mention that the converse direction that asks whether every circular secure bit-encryption scheme is also CCA secure is in fact false (assuming that there exist circular secure bit-encryption schemes at all). For example, taking any circular secure scheme and modifying it by adding to the public-key an encryption of the decryption-key, yields a scheme that is circular secure but is not even CCA-1 secure.

9

Recall that the Naor-Yung paradigm consists of a double encryption of the plaintext using independent keys and a non-interactive zero-knowledge (NIZK) proof of consistency. A circular security attack on the underlying scheme immediately translates into a circular security attack on the constructed CCA secure scheme. Note that the Naor-Yung transformation can be made to achieve not only CCA-1 security but even CCA-2 security (see [Sah99] or [Lin06]).

10

(7)

Organization

In Section 2 we define KDM security and the cryptographic assumptions that we will use. In Section 3 we present our “multilinear map” based circular insecure bit-encryption scheme. In Section 4 we prove the equivalence of three notions of KDM security. Finally, in Section 5, we present our black-box impossibility result.

2 Preliminaries

We denote by x∈_RS a random variablex that is uniformly distributed in the setS.

2.1 Public-Key Encryption

A public-key encryption scheme consists of three probabilistic polynomial-time algorithmsKeyGen,

EncandDec. The key generation algorithm,KeyGen, when given as input a security parame-ter 1n, outputs a pair (e, d) of poly(n)-bit long encryption and decryption keys. The encryption algorithm,Enc, on input an encryption-key eand a messagem∈ {0,1}∗, outputs a ciphertext

c, whereas the decryption algorithm,Dec, when given the ciphertext cand the decryption-key

d, outputs m. We say that the encryption scheme is correct if for every message m and every valid key-pair (e, d) it holds thatDecd(Ence(m)) =m.

In this work we restrict our attention to bit-encryption scheme (i.e., m ∈ {0,1}). We first define the classical notion of semantic security restricted to single-bit encryption:

Definition 2. A public-key bit-encryption scheme is semantically-secure if for every probabilis-tic polynomial-time adversary A it holds that

Pr

(e,d)←KeyGen(1n₎ b∈R{0,1}

[A(e, Ence(b)) =b]<

1

2+ neg(n).

Next, we define chosen ciphertext attack (CCA) security for bit-encryption. In this work we only consider the stronger notion of CCA-2:

Definition 3. A public-key bit-encryption scheme is CCA-2 secure if for every probabilistic polynomial-time adversary A it holds that

Pr

h

ADec0d₍_{e, Enc}_e₍_b_{)) =}_b i

< 1

2 + neg(n)

where Dec0_d is an oracle that on inputcreturns⊥ifc=Ence(b)is the challenge ciphertext and

otherwise returns Decd(c) (i.e., decrypts the ciphertext).

2.2 KDM and Circular Security for Bit-Encryption

To model KDM security we need to specify what information is given to the adversary and what it means for the adversary to break security. The former is the simpler of the two -we simply give the adversary access to an oracle (henceforth called the KDM oracle) that on input i returns an encryption of the i-th bit of the decryption-key. Formally, for a pair (e, d) of encryption and decryption keys, we define an oracle Oe,d(i) which on inputi∈[|d|] returns

Ence(di).

(8)

definition of security) that we consider is full key recovery. Security against this type of attack means that no efficient adversary, which gets encryptions of the individual bits of the decryption-key, can find the entire decryption-key. Using the definition of the oracle Oe,d we can define

circular security of bit-encryption with respect to key-recovery:

Definition 4. A public-key bit-encryption scheme(KeyGen, Enc, Dec) is circular secure with respect to key recovery if for every probabilistic polynomial-time oracle machineA it holds that

Pr

(e,d)←KeyGen(1n₎

AOe,d₍_e_{) =}_d_<_neg(_n₎_.

It is worth noting that, in contrast to the semantic security setting, in the KDM setting the decryption-key is information theoretically determined and therefore there is at least some hope to recover the actual decryption-key used by the scheme.11

Next, we consider an adversary that is given an encryption of a random bit, as well as access to the KDM oracle, and needs to guess the value of the bit:

Definition 5. A public-key bit-encryption scheme is circular secure with respect to message recovery if for every probabilistic polynomial-time oracle machine A it holds that

Pr

(e,d)←KeyGen(1n₎_, b∈R{0,1}

AOe,d₍_{e, Enc}

e(b)) =b

< 1

2+ neg(n).

Lastly, we consider the standard definition of circular security as put forth by [CL01, BRS02]. Their definition requires that if be infeasible for an adversary to distinguish between the KDM oracle and an “all zeros” oracle that always returns encryptions of 0. Formally, for an encryption-key e, we define Je to be an oracle that on input i just returns Ence(0) (i.e., an encryption

undereof the bit 0). In contrast to the two prior definitions, indistinguishability of oracles does not inherently imply semantic security and therefore we explicitly add this requirement.

Definition 6. A semantically-secure public-key bit-encryption scheme is circular secure with respect to indistinguishability of oraclesif for every probabilistic polynomial-time oracle machine A it holds that

Pr

AOe,d₍_e_{) = 1}₋ _Pr

AJe₍_e_{) = 1}

<neg(n).

In Section 4 we show that the three notions of circular security presented above are actually equivalent.

2.3 Hardness assumptions in bilinear and `-multilinear groups

We first define bilinear and`-multilinear maps and then define the computational assumptions that we use.

An `-multilinear map is a non-degenerate12 function e : G1 × · · · ×G` → GT, where

G1, . . . , G`, GT are cyclic groups of prime order p such that for every g1 ∈ G1, . . . , g` ∈ G`,

everyi∈[`] and a∈_Zp, it holds that:

e(g1, . . . , gia, . . . , g`) =e(g1, . . . , g`)a.

11_{In the semantic security model, there may be many decryption keys corresponding to the same}

encryption-key and a semantic security adversary (which only has access to functions of the encryption-encryption-key) cannot hope to always find the particular decryption-key being used.

12

(9)

An `-multilinear group scheme is an algorithm that for every security parameternproduces a description of`+ 1 groups of order p(where p is ann-bit prime) together with an efficiently computable`-multilinear map that maps the first` groups to the (`+ 1)-th group:

Definition 7. Let ` = `(n) be a polynomially bounded function. An `-multilinear group scheme is a probabilistic polynomial-time algorithm GS that on input 1n outputs the param-eters params= (p,(G1, . . . , G`, GT),(g1, . . . , g`, gT), e) where 2n−1 < p <2n is an n-bit prime,

G1, . . . , G` andGT are concise descriptions of`+ 1groups of order p(that allow efficient

evalu-ation of the group operevalu-ation), with the respective generatorsg1, . . . , g`, gT ande:G1×· · ·×G` →

GT is a concise description of an efficiently computable`-multilinear map.

For every ` there exist trivial examples of`-multilinear group schemes. However, our com-putational hardness assumptions do not hold for these trivial examples.13 _{In fact, for}_`_≥_{3 we}

do not know of a candidate `-multilinear group scheme for which the discrete log problem is believed to be hard (in any of the groups). Nevertheless, there is also no negative evidence that such group schemes do not exist. For `≤2 there do exist candidate group schemes for which discrete log is conjectured to be hard (discussed next).

Computational Assumptions. Loosely speaking, the DDH assumption for a cyclic groupG

states that the distributions (g, ga, gb, gab) and (g, ga, gb, gc) are computationally indistinguish-able, wheregis a generator of Ganda, band care random exponents. The SXDH assumption (introduced by [BGdMM05, FGHP09]) extends DDH to 2-multilinear (a.k.a bilinear) groups by assuming that there exist groupsG1, G2 equipped with a bilinear map such that the DDH

as-sumption holds for bothG1 andG2 (separately). We further extend SXDH to the`-multilinear

SXDH assumption which states that there exists an`-multilinear group scheme for which DDH is hard for all`groups G1, . . . , G`. Note that 1-multilinear SXDH corresponds exactly to DDH

and that 2-multilinear SXDH corresponds to the standard SXDH assumption. We emphasize that we only have candidate group schemes for which the `-multilinear SXDH assumption is conjectured to hold for`≤2 (see [BGdMM05, FGHP09]).

Definition 8. The `-multilinear SXDH assumption states that there exists an `-multilinear group scheme GS such that for every function i:N→N for which i(n) ∈[`(n)], the following

ensembles are computationally indistinguishable:

1. {params, i(n), ga

i(n), gbi(n), gabi(n)}n∈N; and

2. {params, i(n), g_ia₍_n₎, gb_i₍_n₎, gc_i₍_n₎}n∈N

where a, b, c ∈R Zp and params def= (p,(G1, . . . , G`, GT),(g1, . . . , g`, gT), e) is distributed as

GS(1n).

3 A Circular Insecure Bit-Encryption Scheme

In this section we show a construction of a bit-encryption scheme (KeyGen, Enc, Dec) that is (plausibly) semantically secure but is not circular secure. In Section 3.1 we present the construction. In Section 3.2 we prove that the construction is correct and semantically secure

13

A trivial example of an `-multilinear group scheme is when G1, . . . , G` are all the additive group mod p. Since exponentiation in the additive group corresponds to modular multiplication, being multilinear means that for every a, z1, . . . , z` ∈ Zp it holds that e(z1, . . . , a·zi, . . . , z`) = a·e(z1, . . . , z`). Hence, the mapping e(z1, . . . , z`) = Q`i=1zimodp is a multilinear map for these groups. Note however that discrete log in the

(10)

(based on the hardness of `-multilinear SXDH, for ` ≥ c·logp for some constant c > 1). In Section 3.3 we use the multilinear map to show a circular security attack on the scheme.

Notation. For a matrixX, we letX[i, j] denote the (i, j)-th entry ofX.

3.1 The Encryption Scheme

LetGS be any`-multilinear group scheme (as in Definition 7).

Construction 9. Consider the following public-key bit-encryption scheme(KeyGen, Enc, Dec):

KeyGen(1n)

1. Invoke the group scheme algorithm to obtain params ← GS(1n) (where params = (p,(G1, . . . , G`, GT),(g1, . . . , g`, gT), e)).

2. Select X ∈RZ2p×` (i.e., a 2×` matrix with random entries in Zp).

3. Set U =

"

g₁X[0,1] g₂X[0,2] . . . g_`X[0,`] g₁X[1,1] g₂X[1,2] . . . g_`X[1,`]

#

.

4. Select s∈_R{0,1}` _{and set} _α ₌P`

i=1X[si, i] modp.

5. The (public) encryption-key is (params, U, α) and the (private) decryption-key is

(X, s).

Enc₍_params,U,α₎(σ) (where σ∈ {0,1})

1. Select at random r1, . . . , r`∈RZp.

2. Output (gr1

1 ,(U[σ,1])r1), . . . ,(g

r`

` ,(U[σ, `])r`).

Dec₍_X,s₎((c1, d1), . . . ,(c`, d`))

1. If cX₁ [0,1]=d1 output 0 and otherwise output 1.

Before proceeding to the proof of correctness and security, we wish to highlight a few points. First, we note that both α and sare not used by the encryption or decryption algorithms and seem unneeded. Second, we note that (ignoring the presence of α in the public-key) even by setting ` = 1 we obtain a secure encryption scheme (under DDH) and it is not clear why we need a larger` (recall that we need` >>logp).

The reason for the existence of α and s is (solely) to help the KDM attacker whereas the large value of ` helps maintain semantic security despite the fact that α is revealed in the public-key.14 The key idea is that in the semantic security setting, an attacker has essentially no information about s (because ` is sufficiently large that α looks random) whereas, in the KDM setting, the attacker can obtain additional information about s(specifically encryptions of the bits ofs) and can use this additional information to verify that α is consistent with s.

The above gives us a way to distinguish between the KDM oracle and the all zeros oracle thereby breaking circular security with respect to indistinguishability of oracles. (Using the results of Section 4 this attack can be transformed into a full key-recovery attack.)

14

(11)

3.2 Correctness and Semantic Security of Construction 9

In this section we show that Construction 9 is both correct (i.e., the decryption of an encryption recovers the original message) and semantically secure.

Correctness. Consider a pair of encryption and decryption keys ((params, U, α),(X, s)) and let ((c1, d1), . . . ,(c`, d`)) be an encryption of a bit σ ∈ {0,1}. If σ = 0 then d1 = cX1[0,1] and

the ciphertext decrypts correctly to 0. If σ = 1 then d1 = cX₁[1,1] and therefore, except with negligible probability, d1 6=cX1 [0,1]. Hence, the ciphertext decrypts correctly to 1 (except with

negligible probability).

Note that we can easily eliminate the negligible decryption error by sampling X from a statistically close distribution in whichX[0,1]6=X[1,1].

Semantic Security. An adversary attempting to break the semantic security of Construc-tion 9 sees the public-key (params, U, α) and an encryption of a random bit σ and needs to find σ (with non-negligible advantage). As a first step to proving semantic security, consider replacing the selection ofαin the key generation process by a uniform randomβ∈RZp (instead

of the sum of a random subset). We show that view of the adversary in the resulting scheme is statistically close to its view in the original scheme.

Claim 10. For everyn∈_N, the distribution(X, α)and(X, β)are 1₂q₂p`-close in statistical

dis-tance wherep, X andαare distributed as in the key generation process and β is an independent random number in Zp.

Proof. Follows directly from the leftover hash lemma15 [HILL99] by observing that the family of functions {HX :{0,1}`→ Zp}X defined asHX(s) =P`i=1X[si, i] modp is a universal hash

function family.

Since an adversary attempting to break the security of the scheme does not see any infor-mation on s, it is enough to prove that the scheme is secure if α were replaced by β ∈R Zp.

Note that we crucially use the fact thatinformation theoretically sis completely undetermined by the view of the adversary. In contrast, in the KDM setting, where the adversary can see encryptions of the bits of sthis fact no longer holds and our attack exploits this to break the KDM security of the scheme (see Section 3.3).

Lemma 11. Assuming the `-multilinear SXDH assumption, for ` ≥ c·logp for some c > 1, it holds that for every σ ∈ {0,1}, the following two distributions are computationally indistin-guishable:

• params, U, β,(gr1

1 ,(U[σ,1])r1), . . . ,(g

r`

` ,(U[σ, `])

r`₎_{; and}

• params, U, β,(gr1

1 , g

s1

1 ), . . . ,(g

r` ` , g

s` ` )

whereparams andU are selected as in the key-generation process and β, r1, . . . , r`, s1, . . . , s` ∈R Zp.

Note that the by Claim 10 (and since ` > c·logp for some constant c > 1), the first distribution is statistically close to a public-key of the scheme together with an encryption of a bitσ and the second distribution contains no information aboutσ. Hence, the semantic security of the scheme follows directly from Lemma 11.

15_{A simplified version of the leftover hash lemma states that if}_h_{is selected at random from a universal hash}

function family fromX toY then the distribution (h, h(x)) and the distribution (h, y) are 1₂

q

|Y|

(12)

Proof. The straightforward proof is by a hybrid argument and an application of the`-multilinear SXDH assumption. Details follow.

For a bit σ∈ {0,1}, letHn(i) denote the hybrid distribution:

H_n(i)def= params, U, β,(gr1

1 ,(U[σ,1])r1), . . . ,(g

ri

i ,(U[σ, i])ri),(g ri+1

i+1 , g

si+1

i+1 ), . . . ,(g

r` ` , g

s` ` )

Note that the two extreme hybrids Hn(0) and Hn(`) correspond exactly to the distributions of

Lemma 11. Suppose toward a contradiction that there exists a probabilistic polynomial-time distinguisher Dthat distinguishes between the two distributions. In other words:

Pr[D(H

(0)

n ) = 1]−Pr[D(Hn(`)) = 1] >

1

poly(n) (1)

Therefore, there must exist j ∈[`] such that D distinguishes between the two neighboring hybrid distributions Hn(j−1) andHn(j):

Pr[D(H

(j−1)

n ) = 1]−Pr[D(Hn(j)) = 1] >

1

poly(n) (2)

We useDto break the`-multilinear SXDH assumption. To do so we need to show a polynomial-time distinguisher D0 and a functioni:N→N(with i(n)∈[`(n)]) for which

Pr h

D0(params, i(n), ga_i₍_n₎, g_ib₍_n₎, g_iab₍_n₎) = 1

params←GS(1

n₎_{, a, b}_∈ RZp

i

−Pr

h

D0(params, i(n), ga_i₍_n₎, g_ib₍_n₎, g_ic₍_n₎) = 1

params←GS(1

n₎_{, a, b, c}_∈ RZp i

<neg(n)

(That is,D0 gets as input (params, i(n), gi(n), g_ia₍_n₎, gb_i₍_n₎, g_ic₍_n₎) and needs to decide whether c=abor is an independent random number in Zp.)

Consider the function ithat for every n in the infinite set ofn’s for which D distinguishes between the (j−1)-th hybrid and the j-th hybrid just equalsj (and for other n equals some arbitrary value). For sake of simplicity we write idef= i(n) in the following.

In order to distinguish,D0 first generates a matrixU as in the key generation of the scheme with respect to params(which are part of its input) by taking random exponents ofg1, . . . , g`.

FromU, the distinguisher generates a matrixU0 which is the same asU0 except that the (σ, i )-th entry ofU is replaced withg_ia (note that U0 is still distributed identically to a matrixU of the encryption-scheme). The distinguisher D0 then selectsβ, r1, . . . , r`, si+1, . . . , s` ∈R Zp and

outputsD(params, U0, β, µ) where

µ=

gr1

1 ,(U

0_[_σ,_1])r1

, . . . ,

gri−1

i−1 ,(U

0_[_{σ, i}₋_1])ri−1

,

g_ib, g_ic

,

gri+1

i+1, g

si+1

i+1

, . . . ,

gr` ` , g

s` `

.

Observe that in that casec=abthe input toDis identically distributed toHn(i) and in the

case that cis random inZp the input is identically distributed toHn(i−1). Thus, for the infinite

set for which Eq. (2) holds, D0 distinguishes between the two distributions.

Remark. We can extend Construction 9 also to the case`=c·logpfor 0< c <1, assuming that the subset sum assumption holds. Specifically, using the fact that subset sum is a pseu-dorandom generator (if it is one-way, see [IN89]), we can replace the use of the leftover hash lemma in the proof of semantic security with the subset sum assumption over Zp (assuming

(13)

3.3 The KDM Attack

We show a distinguisher that breaks thecircular security with respect to indistinguishability of oracles (Definition 6) of Construction 9. Using Theorem 12, we can obtain a KDM attack that breakscircular security with respect to key recovery (Definition 4).

Our distinguisher gets as input a public-key and has access to either the KDM oracle that on input ireturns an encryption of thei-th bit of the decryption-key or to the all-zeros oracle that always returns an encryption of 0. The goal of the distinguisher is to distinguish between the two cases.

Consider the following distinguisher which has access to an alleged KDM oracle and gets as input an encryption-key (params, U, α):

1. Fori= 1, . . . , `:

(a) Query the oracle for an encryption ((c1, d1), . . . ,(c`, d`)) of si (thei-th bit ofs).

(b) Setyi =ci andzi =di.

2. If e(y1, . . . , y`)α ≡p Q`i=1e(y1, . . . , yi−1, zi, yi+1, . . . , y`) then output 1 and otherwise

out-put 0 (where≡p denotes congruence modp).

We first show that when using the KDM oracle, the distinguisher always outputs 1. Indeed, in this case yi=giri andzi =g

ri·X[si,i]

i . Therefore,

` Y

i=1

e(y1, . . . , yi−1, zi, yi+1, . . . , y`)≡p ` Y

i=1 e(gr1

1 , . . . , g

ri−1

i−1, g

riX[si,i] i , g

ri+1

i+1, . . . , g

r` ` ) ≡p ` Y i=1 e(gr1

1 , . . . , g

r` ` )

X[si,i]

≡_p e(gr1

1 , . . . , g

r` ` )

P`

i=1X[si,i] modp ≡_p e(y1, . . . , y`)α

and so the distinguisher outputs 1 in this case.

Next, consider the case that the distinguisher uses the all zeros oracle. In this case we yet again haveyi =g_iri but nowzi =gri

·X[0,i]

i and so we have: `

Y

i=1

e(y1, . . . , yi−1, zi, yi+1, . . . , y`)≡p ` Y

i=1 e(gr1

1 , . . . , g

ri−1

i−1 , g

ri·X[0,i] i , g

ri+1

i+1 , . . . , g

r` ` ) ≡p ` Y i=1 e(gr1

1 , . . . , g

r` ` )

X[0,i]

≡_p e(y1, . . . , y`) P`

i=1X[0,i] modp_.

But, since the group GT is cyclic, it holds that:

Prhe(y1, . . . , y`)α ≡p e(y1, . . . , y`) P`

i=1X[0,i] modp

i

= Pr

" _` X

i=1

X[si, i]≡p ` X

i=1 X[0, i]

#

≤2−`+1

p.

(14)

4 Equivalence of KDM Notions for Bit-Encryption

In this section, we establish an equivalence between the three notions of circular security for bit-encryption that were defined in Section 2.2.

Theorem 12. For every public-key bit-encryption scheme the following are equivalent:

1. The scheme is circular secure with respect to key recovery.

2. The scheme is circular secure with respect to message recovery.

3. The scheme is circular secure with respect to indistinguishability of oracles.

In particular, Theorem 12 implies that an adversary that merely distinguishes between a KDM oracle and an all zeroes oracle with a non-negligible gap can be used to fully recover the decryption-key.

Lemma 13. Every public-key bit-encryption scheme that is circular secure with respect to key recovery is also circular secure with respect to message recovery.

We give a sketch of the proof, for the full proof see Appendix A.

Proof Sketch. Let (KeyGen, Enc, Dec) be a public-key bit-encryption scheme, and suppose that there exists an adversary A that has access to the KDM oracle and is given as input an encryption-keyeand an encryption of a random bitband manages to guessbwith non-negligible advantage. We useAto construct a key-recovery adversary (which also has access to the KDM oracle).

Intuitively, it seems as though in order to find di (the i-th bit of the decryption-key d),

the key-recovery adversary can just invoke its KDM oracle on i to obtain ci = Ence(di) and

then runAon input (e, ci) (while answeringA’s oracle queries using its own KDM oracle). The

intuition is that sinceAis a message recovery attacker, it should output the bitdi. The problem

with this intuition is thatA is only guaranteed to work when given an encryption of a random bit that isindependent of the decryption-key (which is obviously not the case for di).

We resolve this problem by restricting our attention to the setSof all keys (e0, d0) for whichA

manages to recover messages with non-negligible advantage. We make two simple observations:

1. The set S contains a polynomial fraction of the keys (this follows from the fact that A

has a non-negligible advantage over all key pairs).

2. If a fixed key pair (e, d) is in S, then there should be a non-negligible gap between the distributionA(e, Ence(0)) and the distributionA(e, Ence(1)).

Note that for a fixed (e, d), the distributionA(e, Ence(di)) is exactly A(e, Ence(0) ifdi= 0

and A(e, Ence(1)) if di = 1. Therefore, to find di we approximate the following probabilities:

• The probabilityµ0 thatA outputs 1 when given an encryption of 0.

• The probabilityµ1 thatA outputs 1 when given an encryption of 1.

• The probabilityν thatAoutputs 1 when given an encryption ofdi. (To approximate this

(15)

We guess that di is the bit b such that ν is closer to µb than to µ1−b and we are correct

with overwhelming probability (over the coins used for the approximations). By repeating this procedure for every i∈[|d|] we obtain an overwhelming probability of finding d for every (e, d) ∈S. Since S is sufficiently large, this gives us a non-negligible probability of finding D

even for a random key-pair (e, d).

Lemma 14. Every public-key bit-encryption scheme that is circular secure with respect to mes-sage recovery is circular secure with respect to indistinguishability of oracles.

We give a sketch of the proof, for the full proof see Appendix A.

Proof Sketch. Let (KeyGen, Enc, Dec) be a public-key bit-encryption scheme that is circular insecure with respect to indistinguishability of oracles. That is, there exists an adversary A

that gets as input an encryption-keyeand access to an oracle that is either the KDM oracle or the all-zeros oracle and manages to distinguish between the two cases.16 We use Ato construct a circular security message recovery adversary A0 for the scheme.

For simplicity, assume that A is just given an encryption-key e and a list of ciphertexts

c1, . . . , c` (where ` is the length of the decryption-key d) and manages to distinguish between

the case that for everyithe ciphertextci is an encryption of thei-th bit of dand the case that

for everyithe ciphertext ci is an encryption of 0.17

We use a hybrid argument to argue that there exists an i ∈ [`] such that A, given input

e,(c1, . . . , c`), distinguishes between the following two cases:

1. c1, . . . , ci−1 are encryptions of the first i−1 bits ofdand ci, . . . , c` are encryptions of 0.

2. c1, . . . , ci are encryptions of the first ibits ofdand ci+1, . . . , c` are encryptions of 0.

The hybrid argument only tells us that A distinguishes the two cases for a random pair of keys. The first step of our message-recovery adversary A0 is to find i (this can be done by approximating the output distribution of A for every hybrid with respect to random key pair) and to check that A distinguishes between the two cases for the specific keys (e, d) (whereA0

uses the KDM oracle to generate the two neighboring distributions).

IfAdoes not distinguish between the two cases thenA0just outputs 0 and 1 with probability

1

2. If on the other hand, A does distinguish (and by the hybrid argument there is a

non-negligible probability for this event), then thei-th bit of dmust be 1 (otherwise the two cases are identically distributed), and thereforeA0 can decrypt its challenge ciphertext c by running

Aon c1, . . . , ci−1, c, ci+1, . . . , c` wherec1, . . . , ci−1 are encryptions of the firsti−1 bits of dand ci+1, . . . , c` are encryptions of 0. If c is an encryption of 0 then the input to A corresponds

to the (i−1)-th hybrid whereas if c is an encryption of 1 then the input corresponds to the

i-th hybrid. The fact thatA distinguishes between these two hybrids gives A0 a non-negligible advantage in guessing the value ofb.

To complete the equivalence theorem, we also need to show the following:

16

Actually, since Definition 6 explicitly requires semantic security, we may instead have an adversary that directly breaks semantic security. The same adversary also breaks circular security with respect to message recovery.

17

(16)

Lemma 15. Every public-key bit-encryption scheme that is circular secure with respect to in-distinguishability of oracles is also circular secure with respect to key recovery.

Intuitively, given a key recovery adversary we can obtain an indistinguishability of oracles adversary by running the key-recovery adversary using the alleged KDM oracle. If the oracle is indeed the KDM oracle then with non-negligible probability the adversary finds the key whereas if the oracle is the all zeros oracle then it should be infeasible to find the decryption-key. Since it is easy to check whether the output of the key-recovery adversary is a “good” decryption-key or not, we obtain a non-negligible advantage in distinguishing between the two oracles. See Appendix A for the full proof.

5 A Black-Box Impossibility Result

In this section we show that the bit-encryption conjecture cannot be proved by a black-box reduction. Actually, as discussed in Section 1.4, we prove a stronger result, that the circular security of every CCA-2 secure bit-encryption cannot be proved using a black-box reduction.

We start off by defining what we mean by a black-box reduction of circular security of bit-encryption to semantic security and to CCA-2 security:

Definition 16. Ablack-box reduction of circular security to semantic security for bit-encryption schemes is a probabilistic polynomial-time algorithm R such that for every encryption scheme

(KeyGen, Enc, Dec)and every circular security adversaryAfor which there exists a polynomial p and infinitely many n such that:

Pr

(e,d)←KeyGen(1n₎[A

Oe,d₍_e_{) = 1]}₋ _Pr

(e,d)←KeyGen(1n₎[A

Je₍_e_{) = 1]}

> 1

2 + 1

p(n)

there exists a polynomial p0 such that for infinitely many n:

Pr

[R(KeyGen,Enc,Dec),A(e, Ence(b)) =b]>

1 2 +

1

p0₍_n₎

where the probabilities are also over the coin tosses of all algorithms.

A black-box reduction of circular security to CCA-2 security is defined similarly except that the reductionR also has oracle access to the oracle Dec0_d that decrypts any message (using the decryption-key d) except for the challenge ciphertext.

We prove the following theorem:

Theorem 17. There exists no black-box reduction of circular security to semantic security for bit-encryption schemes. Furthermore, there also exists no fully black-box reduction of circular security to CCA-2 security for bit-encryption schemes.

Note that the furthermore clause actually implies the theorem since CCA-2 security implies semantic security. Therefore, to prove Theorem 17, it suffices to show a single encryption scheme and a successful circular security adversary for the scheme such that the scheme is CCA-2 secure even given access to the circular security adversary. Since we consider a reduction in which the circular security adversary is used in a black-box manner, we may even consider an inefficient

circular security adversary.

(17)

uniquely determined by e), then asks its oracle for encryptions of all the key bits, decrypts these ciphertexts to obtain d0₁, . . . , d0_n (where n =|d|) and outputs 1 ifd0 def= d0₁, . . . , d0_n equals

dand ⊥otherwise. Indeed, A breaks circular security and therefore, as stated above, to prove Theorem 17, it suffices to show a single encryption scheme for which it is infeasible to break semantic security even given oracle access to A.

Intuitively, we would like to argue that the adversary A specified above cannot be used to break the security of any CCA-2 secure encryption scheme (although to prove the theorem it suffices to show a single such scheme). The intuition is that for such schemes, it is infeasible, given only the encryption-key, to produce encryptions of all of the key bits.18 Therefore, it seems as though the reduction cannot use the circular security adversary A in any meaningful way and thatA can be simulated by always returning⊥. Thus, it seems as though the scheme remains CCA-2 secure even given oracle access to A.

The problem with the foregoing argument is that the reduction may decide to query Anot on its own challenge encryption-key e but on some related key e0. In such a case we can no longer argue thatAcan be simulated by just returning ⊥. While it seems strange for a generic

reduction (which should work for any CCA-2 encryption-scheme) to runA on keys other than its own, we cannot rule out this possibility.

We overcome this difficulty by restricting our attention only to reductions that also use the encryption-scheme as a black-box. Such reductions should also work when given an inefficient

encryption-scheme. We use this fact to construct a specific inefficient CCA-2 secure encryption scheme that has the additional important property that its encryption keys are totally unrelated. Therefore, intuitively, querying the adversaryAon a keye0 6=ecannot help the reduction break semantic security.

Proof of Theorem 17. We construct aninefficient encryption scheme (KeyGen, Enc, Dec) and an inefficient circular security adversary A for (KeyGen, Enc, Dec) such that no algorithmR

that makes only polynomially many oracle calls to (KeyGen, Enc, Dec) andAcan break CCA-2 security. The encryption scheme that we construct has two main properties:

1. Given only the encryption-key it is infeasible to generate encryptions of all of the bits of the private-key.

2. Encryption keys of the scheme are totally unrelated.

As is usual in black-box separations, our construction is randomized. That is, we construct a family of encryption schemes and consider a random encryption scheme in the family. Specif-ically, consider a totally random length tripling injective function G :{0,1}n _{→ {}₀_,₁_}3n _{and a}

collection of 2nrandom injective functionsE def= {Ee :{0,1} × {0,1}n→ {0,1}3n}e∈G({0,1}n₎. We

define the following family of encryption schemes (indexed by G,E):

KeyGen(1n) : select at randomd∈ {0,1}n _{and output (}_{e, d}_{) such that}_e₌_G₍_d_).

Ence(σ) : select at randomr ∈ {0,1}n and outputEe(σ, r).

Decd(c) : outputb∈ {0,1} if there exists anr∈ {0,1}nsuch thatc=Ee(b, r), wheree=G(d).

Otherwise output⊥.

Note that (KeyGen, Enc, Dec) essentially form an idealized encryption scheme and that there is no correlation between different encryption keys. Additionally, note that both the set

18_{If it were feasible to generate encryptions of all the key bits than a CCA attacker could use the decryption}

(18)

of encryption keys and the sets of ciphertexts are a random exponentially vanishing subset of

{0,1}3n _{and therefore a polynomially bounded adversary only has probability} poly(n)

22n <2−n to

produce a valid public-key or ciphertext without invoking the oraclesKeyGenand Enc. Consider the following inefficient circular security adversary for (KeyGen, Enc, Dec):

A(e,(c1, . . . , cn)) : output 1 if there existr1, . . . , rn∈ {0,1}nandd∈ {0,1}nsuch thatG(d) =e

and for everyi∈[n], it holds thatci =Ee(di, ri). Otherwise output⊥.

The attacker A indeed breaks the circular security (with respect to indistinguishability of oracles) of (KeyGen, Enc, Dec) forevery G,E. We proceed to show that the reduction cannot utilize A to break CCA-2. That is, we will show that for every probabilistic polynomial-time algorithm R and all sufficiently largenit holds that

Pr

G,E

(e,d)←G(1n₎ b∈R{0,1}

[R(KeyGen,Enc,Dec),A,Dec0d₍_{e, Enc}_e₍_b_{)) =}_b_]_< 1

2 + 2·2

−n

(3)

where the probability is also over the coin tosses of all the algorithms and Dec0_d is the aforementioned CCA-2 decryption oracle. The existence of a single G,E that is semantically secure follows (from standard black-box techniques, see [IR89]).

Our main step is to show thatR can essentially simulateA by itself. Once we get rid ofA, it is not hard to see thatR cannot break semantic security.

Claim 18. There exists a probabilistic polynomial-time algorithmR0 such that for all sufficiently large nit holds that

Pr

G,E

(e,d)←G(1n)

b∈R{0,1} h

R(KeyGen,Enc,Dec),A,Dec0d₍_{e, Enc}_e₍_b_{)) =}_b i

− Pr

G,E

(e,d)←G(1n₎ b∈R{0,1}

h

R0(KeyGen,Enc,Dec),Dec0d(e, Enc_e(b)) =b i

<2−n

Proof. Consider the reduction R0 that on input (e, c) just runs R(e, c) while monitoring R’s calls to the oracles KeyGen and Enc. The new reduction R0 keeps a list SKEY S of all

key-pairs (e0, d0) that R got in response to calls to KeyGen and a list SEN C of all pairs (σ, c) of

encryptions cof the bit σ that Encreturns with respect to e, the challenge encryption-key. Consider an execution of R using the oracle A. There are three possible types of queries

e0,(c1, . . . , cn) made toA thatR0 needs to simulate:

1. There exists a d0 such that (e0, d0)∈SKEY S: in this caseR0 knows the decryption-key d0

corresponding toe0 and therefore can perfectly simulate the response of Aby itself. 2. e06=eand there exists no d0 such that (e0, d0)∈SKEY S: since the set of valid encryption

keys only contains an exponentially vanishing random subset of 3n-length strings, except with probability poly(₂−2nn), it holds thate

0 _{is an invalid encryption-key and}_A_{should return}

⊥. Thus,R0 simulatesA by returning ⊥.

3. e0=e: we separate into two cases. In the first case at least one of the ciphertextsc1, . . . , cn

(19)

e only contains an exponentially vanishing random subset of 3n-bit strings, except with probability poly(₂2nn),A returns⊥in this case and therefore R0 just returns ⊥.

The second case is when c1, . . . , cn all appear in SEN C. In this case R0 can retrieve

from the list SEN C the corresponding plaintexts b1, . . . , bn. Now R0 can simulate A by

checking whetherKeyGen returnse when given the random stringb1, . . . , bn. If so then

b1, . . . , bn =d, the decryption-key and therefore R0 perfectly simulates A by returning 1.

On the other hand ifb1, . . . , bn6=dthenA can be simulated by returning⊥.

Since R only makes polynomially many queries, we have that the output of R0 is poly(₂2nn) <

2−n-close to that ofR.

Thus,R0 breaks the CCA-2 security of (KeyGen, Enc, Dec). However, the next claim shows thatno algorithm making polynomially many oracle queries can break the CCA-2 security of a random instance of (KeyGen, Enc, Dec):

Claim 19. For any (computationally unbounded) algorithmR0 that makes at most polynomially many oracle queries and for all sufficiently large n, it holds that

Pr

G,E,b∈R{0,1}

[R0(KeyGen,Enc,Dec),Dec0d₍_{e, Enc}_e₍_b_{)) =}_b_]_< 1

2+ 2

−n

See Appendix B for the straightforward proof.

From Claims 18 and 19 we obtain Eq. (3). Using standard techniques in black-box sep-arations (specifically an application of Markov’s inequality and the Borel-Cantelli lemma, see [IR89]), the latter implies that there exist specific oracles G and E for which the correspond-ing encryption scheme (KeyGen, Enc, Dec) is CCA-2 secure. Thus, we have found an ad-versary A that breaks the circular security of (KeyGen, Enc, Dec) but on the other hand (KeyGen, Enc, Dec) is CCA-2 secure even given oracle access toA.

Remark. Our black-box impossibility result only considers reductions that treat both the adversaryand the primitive (in our case the encryption scheme) as black boxes. We note that the discussion preceding the proof of Theorem 17 shows that a reduction that uses only the adversary as a black-box must query the adversary on keys that are somehow related to the challenge encryption-key. Since such a reduction should work for all bit-encryption schemes, we view this as an additional obstacle to proving the bit-encryption conjecture.

Acknowledgments

I would like to thank Benny Applebaum, Oded Goldreich and Allison Lewko for very helpful conversations and comments.

References

[ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast crypto-graphic primitives and circular-secure encryption based on hard learning problems. In CRYPTO, pages 595–618, 2009.

(20)

[BGdMM05] Lucas Ballard, Matthew Green, Breno de Medeiros, and Fabian Monrose. Correlation-resistant storage via keyword-searchable encryption. Cryptology ePrint Archive, Report 2005/417, 2005. http://eprint.iacr.org/.

[BGK11] Zvika Brakerski, Shafi Goldwasser, and Yael Tauman Kalai. Black-box circular-secure encryption beyond affine functions. In TCC, pages 201–218, 2011.

[BHHI10] Boaz Barak, Iftach Haitner, Dennis Hofheinz, and Yuval Ishai. Bounded key-dependent message security. In EUROCRYPT, pages 423–444, 2010.

[BHHO08] Dan Boneh, Shai Halevi, Michael Hamburg, and Rafail Ostrovsky. Circular-secure encryption from decision diffie-hellman. In CRYPTO, pages 108–125, 2008.

[BRS02] John Black, Phillip Rogaway, and Thomas Shrimpton. Encryption-scheme security in the presence of key-dependent messages. In Selected Areas in Cryptography, pages 62–75, 2002.

[BS03] Dan Boneh and Alice Silverberg. Applications of multilinear forms to cryptogra-phy. Contemporary Mathematics, 324:71–90, 2003.

[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryp-tion from (standard) lwe. In FOCS, pages 97–106, 2011.

[CL01] Jan Camenisch and Anna Lysyanskaya. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT, 2001.

[FGHP09] Anna Lisa Ferrara, Matthew Green, Susan Hohenberger, and Michael Østergaard Pedersen. Practical short signature batch verification. InCT-RSA, pages 309–324, 2009.

[Gen09] Craig Gentry. Fully homomorphic encryption using ideal lattices. InSTOC, pages 169–178, 2009.

[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption.Journal of Computer and System Sciences, 28(2):270–299, 1984.

[Gol08] Oded Goldreich. Computational complexity - a conceptual perspective. Cambridge University Press, 2008.

[HH09] Iftach Haitner and Thomas Holenstein. On the (im)possibility of key dependent encryption. InTCC, pages 202–219, 2009.

[HILL99] Johan H˚astad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseu-dorandom generator from any one-way function. SIAM Journal on Computing, 28:12–24, 1999.

[IN89] Russell Impagliazzo and Moni Naor. Efficient cryptographic schemes provably as secure as subset sum. In FOCS, pages 236–241, 1989.

(21)

[Lin06] Yehuda Lindell. A simpler construction of cca2-secure public-key encryption under general assumptions. J. Cryptology, 19(3):359–377, 2006.

[NY90] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC, pages 427–437, 1990.

[RTV04] Omer Reingold, Luca Trevisan, and Salil P. Vadhan. Notions of reducibility be-tween cryptographic primitives. In TCC, pages 1–20, 2004.

[Sah99] Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. InFOCS, pages 543–553, 1999.

A

Full Proofs of the KDM Equivalence Lemmas

A.1 Proof of Lemma 13

Let (KeyGen, Enc, Dec) be a public-key bit-encryption scheme that is circular secure with respect to key recovery. Assume toward a contradiction that there exists an efficient adversary

A that breaks the circular security of (KeyGen, Enc, Dec) with respect to message recovery. That is, there exists a polynomialp(·) and infinitely many n∈_Nfor which:

Pr

(e,d)←KeyGen(1n)

b∈R{0,1}

AOe,d₍_{e, Enc}

e(b)) =b

> 1

2+ 1

p(n) (4)

and therefore, using simple manipulations, we have:

Pr

AOe,d₍_{e, Enc}

e(1)) = 1

− Pr

AOe,d₍_{e, Enc}

e(0)) = 1

> 1 p(n) (5)

Henceforth, we only consider n from the infinite set for which Eq. (5) holds. We use A to construct an adversaryA0 that breaks circular security with respect tokey recovery.

For a fixed bitb∈ {0,1}, let

µb(e, d)

def

= Pr

AOe,d₍_{e, Enc}

e(b)) = 1

(6)

and letS be the following set:

S =

(e, d) : µ1(e, d)−µ0(e, d)≥ 1

2p(n)

.

By Eq. (5), we haveEe,d[µ1(e, d)−µ0(e, d)]≥ _p₍1_n₎ and therefore, by Markov’s inequality, the

set S contains at least a ₂_p1₍_n₎-fraction of all key-pairs.

Recall that the key-recovery adversary A0 is given an encryption-key e and access to the KDM oracleOe,d and needs to findd. We show how to recoverdbit-by-bit but only in the case

that (e, d) ∈S. Considering only keys that are in S suffices because S contains a polynomial fraction of all key-pairs, and therefore succeeding only for keys in S gives us a non-negligible probability to succeed in general.

Let (e, d) be a fixed key-pair in S. We proceed to describe an efficient procedure that given e and oracle access to Oe,d, finds d. To do so, we begin by estimating µ0(e, d) and

µ1(e, d). This can be done by taking the average of O(p(n)2n) independent executions of A

(22)

fixed, each invocation is totally independent and by the Chernoff bound, with probability at least 1−2−n, our approximation ˆµb(e, d) will be ₁₆_p1₍_n₎-close to µb(e, d).

Once this initial preprocessing step is complete, we can recover dbit-by-bit. To recover the

i-th bit ofd, the algorithmA0 attempts to approximate

νi(e, d)

def

= Pr

AOe,d₍_{e, Enc}

e(di)) = 1

. (7)

As before, this is done by invoking A with fresh oracle queries and with fresh encryptions of di that are obtained by querying the oracle Oe,d(i). Invoking A independently O(p(n)2n)

times gives us an approximation ˆνi(e, d) that is ₁₆_p1₍_n₎-close toνi(e, d) (with probability at least

1−2−n).

Claim 20. For every(e, d)∈S, except with exponentially vanishing probability,νˆi(e, d)is closer

to µˆdi(e, d) than toµˆ1−di(e, d).

The claim follows from the following straightforward calculation.

Proof. Clearly νi(e, d) = µdi(e, d) and as argued above (except with exponentially vanishing

probability)|νˆi(e, d)−νi(e, d)|< ₁₆_p1₍_n₎ and |µˆb(e, d)−µb(e, d)|< ₁₆_p1₍_n₎. Thus, we have:

|νˆi(e, d)−µˆdi(e, d)| ≤ |ˆνi(e, d)−νi(e, d)|+|νi(e, d)−µdi(e, d)|+|µdi(e, d)−µˆdi(e, d)|

< 1

8p(n).

And on the other hand we have:

>|µˆdi(e, d)−µdi(e, d) +µdi(e, d)−µ1−di(e, d) +µ1−di(e, d)−µˆ1−di(e, d)| −

1 8p(n)

≥ |µdi(e, d)−µ1−di(e, d)| − |µˆdi(e, d)−µdi(e, d)| − |µ1−di(e, d)−µˆ1−di(e, d)| −

1 8p(n)

≥ 1

2p(n) − 1 16p(n)−

1 16p(n) −

1 8p(n)

= 1 4p(n)

where the last inequality follows from the fact that |µdi−µ1−di| ≥

1

2p(n) (since (e, d)∈S).

Therefore, we guess that the i-th bit of d is the bit b such that νi is closer to µb than to

µ1−b and by Claim 20 we are correct (for a particular i) except with exponentially vanishing

probability. Taking a union bound over alliwe find all ofdexcept with exponentially vanishing probability.

We showed that if (e, d)∈S, we finddwith overwhelming probability and sinceS contains a polynomial fraction of all valid keys, in the general case, we finddwith non-negligible probability.

A.2 Proof of Lemma 14

Let (KeyGen, Enc, Dec) be a public-key bit-encryption scheme that is circular secure with re-spect to message recovery. Assume toward a contradiction that there exists an efficient adversary

(23)

of oracles. As remarked in Footnote 16, it may be the case that A directly breaks semantic security, however this directly contradicts our circular security with respect to message recovery assumption. Otherwise, there exists a polynomialp(·) and infinitely many n∈Nfor which:

Pr

AOe,d₍_e_{) = 1}₋ _Pr

AJe₍_e_{) = 1}

≥ 1

p(n) (8)

and without loss of generality19we have:

Pr

AOe,d₍_e_{) = 1}₋ _Pr

AJe₍_e_{) = 1}

≥ 1

p(n). (9)

Henceforth, we only considern∈Nfrom the infinite set for which Eq. (9) holds.

Lett(n) be a polynomial bounding the number of queries thatAmakes to its KDM oracle for security parameter 1n. We useAto construct an adversaryA0that gets as inputt(n) ciphertexts and using access to the KDM oracle, distinguishes between the case that the ciphertexts are all encryptions of 0 and the case that they are all encryptions of 1. Using a standard hybrid argumentA0 can be transformed into a standard message-recovery adversary.

For simplicity, we assume (without loss of generality) that for every security parameter n, all decryption keys have the same (polynomially-bounded) length`def= `(n). For 0≤i≤`, let

H_e,d(i) be the following hybrid oracle:

H_e,d(i)(j) =

(

Ence(0) ifj ≤i

Ence(dj) otherwise

.

Observe thatH_e,d(0) ≡Oe,d and thatH₍(_e,d`)₎ ≡Je. Fori∈ {0, . . . , `} let:

µi(e, d) = Pr

AH

(i)

e,d₍_e_{) = 1}

. (10)

By Eq. (9) we have Ee,d[µ0(e, d)−µ`(e, d)] ≥ _p₍1_n₎. Therefore, by a hybrid argument, there

exists 0≤i∗≤`−1 such that:

E

e,d[µi

∗(e, d)−µ_i∗₊₁(e, d)]≥ 1

p(n)`

We will attempt to find i∗. To do so, note that by the Chernoff bound, except with negligible probability, for every i we can find a ₄_p₍1_n₎_`-approximation of Ee,d[µi(e, d)] by repeating the

following processO((p(n)`)2n) times and taking the average:

1. Select random (e0, d0)←G(1n). 2. OutputAH

(i)

e0,d0₍_e0_{) (note that we can implement the oracle since we have}_d0_).

Therefore, except with negligible probability, we can efficiently find ani∗ such that:

E

e,d[µi

∗(e, d)−µ_i∗₊₁(e, d)]≥ 1

2p(n)` (11)

19